While researching, I see there are a few different ways to achieve this, but ideally I don't want the user to need an app on their phone.
I also want to utilize AD users and not create 'local' users.
Is it possible to do this by specifying the user's phone # in AD, or is creating the 'local' user a companion to the AD record?
Currently, I assign VPN access based on a Security Group in Active Directory.
SMS or even EMAIL MFA comes in handy, but you still need a phone though ;)
https://cookbook.fortinet.com/sms-two-factor-authentication-ssl-vpn/
About the AD and assignment of phone #, that would need further investigation, but you can test the above with a local account just to get a feel for it and then look at going to MSAD if you can figure it out or develop a solution. The other option would be using an open RADIUS platform (i.e. freeradius) where you can authenticate and use an OTP for the login. Again, no app.
Why are you against a token generator app? It's probably 10x better than, let's say, email or SMS and does not increase any concerns on email or data or SMS usage charges?
Ken Felix
PCNSE
NSE
StrongSwan
On board the fortigate you have 3 native ways of doing multi-factor authentication. They used to all be available in the GUI, but have moved to CLI only. TL;DR: the best method for MFA is generally regarded as token/app based, as the others can be intercepted.
You have the fortitoken which can be a hard token or an app on the phone. There is also the option for email and SMS. The SMS can be using Fortinet's built in SMS gateway which is an extra license add-on or via manual SMS gateway entries.
You can set local or remote (LDAP, RADIUS, etc) users up with MFA using this method. Example CLI is below
```
config user local
    edit "testuser"
        # this is where you could change to LDAP or RADIUS
        # (set type ldap / set type radius instead of password)
        set type password
        # or: set two-factor sms, or set two-factor fortitoken
        set two-factor email
        set email-to "testuser@whatever.com"
    next
end
```
You would set up the carrier SMS gateways using "config system sms-server". For example if your email to SMS address is 8005551234@sms.carrier.com then you would create a new entry in sms-server for Carrier with an address of sms.carrier.com. The fortigate would send an email to that address which would arrive as a text message to the user.
However, in general it is best to use a token-based MFA solution where the information is not directly transmitted from the source to the user. Determined attackers have demonstrated methods to intercept MFA messages sent in this way. Many third-party MFA providers like Duo and Okta provide methods to integrate with various devices, including fortigates, in a more secure manner that also makes the user experience better than what the fortigate can provide on its own.
CISSP, NSE4
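A fuller version of the setup this reply describes, as an added example that is not the reply author's own config: an AD-backed user whose password is checked against LDAP and whose second factor is delivered through the carrier email-to-SMS gateway defined under `config system sms-server`. The server names, bind account, phone number and group name are placeholders.

```fortios
# Carrier email-to-SMS gateway: the FortiGate mails <sms-phone>@sms.carrier.com
config system sms-server
    edit "Carrier"
        set mail-server "sms.carrier.com"
    next
end

# LDAP server pointing at a domain controller (placeholder names/credentials)
config user ldap
    edit "corp-ad"
        set server "dc01.example.com"
        set cnid "sAMAccountName"
        set dn "dc=example,dc=com"
        set type regular
        set username "cn=svc-fgt,cn=Users,dc=example,dc=com"
        set password "PLACEHOLDER_BIND_PASSWORD"
    next
end

# The user still exists as a "config user local" entry, but with type ldap
# the password is validated against AD; only the MFA settings live here.
config user local
    edit "jdoe"
        set type ldap
        set ldap-server "corp-ad"
        set two-factor sms
        set sms-server custom
        set sms-custom-server "Carrier"
        set sms-phone "8005551234"
    next
end

# Group to reference from the SSL VPN portal mapping / firewall policy
config user group
    edit "vpn-mfa-users"
        set member "jdoe"
    next
end
```

Because the SMS leg is plain email to a carrier gateway, the one-time code is readable by anything between the FortiGate and the handset, which is the interception risk the reply warns about; that risk is why the reply prefers FortiToken or a third-party token provider for the second factor.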
```
config user local
    edit "testuser"
        set type password   <-- this is where you could change to LDAP or RADIUS
        set two-factor email   <-- or set two-factor sms, or fortitoken
        set email-to "testuser@whatever.com"
    next
end
```
Do you know if it's possible to do this without adding local users to the fortigate? And defining the MFA type? Here's an example: a big org with 200+ users in a VPN group, you probably do not want to add 200+ local accounts. I do agree using SMS/EMAIL in this day and age is not wise or prudent, imho.
Ken Felix
PCNSE
NSE
StrongSwan